In an unnerving twist, when a critical zero-day vulnerability was reported in a Unix administration tool called Webmin, it was revealed that the flaw was no accident. According to researchers, the vulnerability was a secret backdoor planted in the popular utility nearly a year before its discovery. The backdoor gave anyone with knowledge of its existence the ability to execute commands as root, meaning an attacker could take control of the targeted endpoint.

According to Jamie Cameron, the author of Webmin, the bogus version was 1.890. Two additional versions were found with near-identical backdoor code, versions 1.900 and 1.920. Updated releases, Webmin 1.930 and Usermin 1.780, address the vulnerabilities.

“Neither of these were accidental bugs – rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” Cameron wrote in a post outlining the issues.

According to Cameron, the Webmin development build server was compromised in April 2018. He said that’s when a vulnerability was added to the “password_change.cgi” script. Cameron explained that by backdating the file, it was made to look like the Github “checked-in” version of the code and so escaped scrutiny. The code then shipped with the 1.890 version of the Webmin release.

Then in July 2018, the malicious actor behind the vulnerable version of the “password_change.cgi” script updated the file again. This time the change impacted the Webmin 1.900 release. “This time the exploit was added to code that is only executed if changing of expired passwords is enabled,” the author wrote.

Things got interesting in Sept. 2018 when the vulnerable build server was decommissioned and replaced with a newly installed server running CentOS 7. However, the vulnerable code “was copied across from backups made on the original server,” the author explained. Either way, the bug only impacted systems with a specific configuration.
“To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution,” according to a description of the bug.

The bug itself surfaced at DEF CON 2019, when a researcher released zero-day research illustrating a bug (CVE-2019-15107) that made use of the vulnerability. It was this research that shed light on the malicious code injected back in July 2018. “In response (to CVE-2019-15107), the exploit code was removed and Webmin version 1.930 created and released to all users,” Cameron wrote.

In response to the implanted malicious code, Webmin said it would adopt new mitigation efforts such as:

Updating the build process to use only checked-in code from Github, rather than a local directory that is kept in sync.
Rotating all passwords and keys accessible from the old build system.
Auditing all Github checkins over the past year to look for commits that may have introduced similar vulnerabilities.

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.
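The first mitigation above, building only from checked-in code, works because the backdoor survived by looking like the committed file: the attacker backdated the tampered copy so a timestamp-based comparison saw nothing. The following is an added example, not Webmin project code, of the check a build pipeline can run to catch that: a manifest of content hashes is taken from the clean checkout, and the build tree is verified against it by content alone, so a restored modification time does not hide a changed file. The directory layout, file contents and the `extra.txt` stray file are constructed for the demonstration; only the file name `password_change.cgi` comes from the story.

```python
"""Content-hash verification of a build tree against a checked-in source tree.

Added example (not Webmin's code). The tampering scenario in demo() is
constructed: it modifies a file in the build copy and restores the original
modification time, which is what timestamp-based checks would miss.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its content digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root, manifest):
    """Compare a tree to a manifest taken from the checked-in source.

    Returns (modified, missing, unexpected): files whose content differs,
    files the manifest lists but the tree lacks, and files not in the manifest.
    """
    actual = build_manifest(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in manifest)
    return modified, missing, unexpected


def demo():
    """Constructed scenario: clean checkout, synced build copy, backdated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "checkout")
        build = Path(tmp, "build")
        (src / "cgi").mkdir(parents=True)
        # Constructed file contents; only the file name is from the story.
        (src / "cgi" / "password_change.cgi").write_text("# checked-in script\nexit 0\n")
        (src / "README").write_text("release 1.890\n")
        manifest = build_manifest(src)

        # The build directory is a copy kept in sync with the checkout.
        shutil.copytree(src, build)

        # Tamper with the build copy (same length) and restore the old mtime,
        # so a timestamp comparison still shows the file as unchanged.
        target = build / "cgi" / "password_change.cgi"
        before = target.stat()
        target.write_text("# checked-in script\nexit 1\n")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        mtime_unchanged = target.stat().st_mtime_ns == before.st_mtime_ns

        # A stray file that was never checked in (constructed).
        (build / "extra.txt").write_text("stray\n")

        modified, missing, unexpected = verify_tree(build, manifest)
        return {
            "modified": modified,
            "missing": missing,
            "unexpected": unexpected,
            "mtime_unchanged": mtime_unchanged,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the tampered `cgi/password_change.cgi` is reported as modified even though its modification time still matches the original, while `extra.txt` shows up as unexpected; a release step that refuses to package when any of the three lists is non-empty enforces "only checked-in code ships".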
The personal information of more than a million users of popular adult website Luscious, including email addresses that sometimes indicated full names, was found exposed in an unsecured Elasticsearch database.

The website, which focuses on anime-themed, user-uploaded adult content, has over 1 million registered users. Website users have a private profile allowing them to upload, share, and comment on the website’s pornographic content – while keeping their identities hidden behind usernames. However, researchers were able to access the personal details of 1.195 million user accounts, revealing their usernames and personal email addresses. Some personal email addresses reflected the full names of website users, researchers said.

“The data breach gave our team access to 1.195 million user accounts on Luscious. All of these were compromised, revealing personal details of users with potentially devastating consequences,” said researchers with vpnMentor in a post this week. “The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.”

Researchers discovered the exposed data on Aug. 15. After being contacted on Aug. 16, the database was then secured on Monday.

In addition to email addresses, researchers were also able to view user activity logs, which showed dates joined and recent log-ins, as well as content, images and videos uploaded and blog posts written. They could also access the country of residence and gender for impacted users. For instance, researchers discovered 13,000 email addresses in “.fr,” showing that those users are from France.

Of greater concern was the fact that researchers discovered dozens of “.gov” email accounts, indicating that the users were official government employees. These were emails tied to users from Brazil, Australia, Italy and Malaysia. Researchers said that they aren’t sure whether third parties accessed the exposed database.
However, if hackers were able to access the user data – particularly for something as sensitive as an adult website – it could be ruinous for victims’ relationships and personal lives. If a bad actor were to get their hands on this database, researchers said, they could use it in several harmful ways – including doxing (investigating an internet user’s identity and making it public), extorting users by threatening to expose them unless they pay a ransom, or phishing.

“The impact of this data breach on users could be devastating, personally and financially,” they said. “Activity on adult sites like Luscious is the most private in nature, and nobody ever expects it to be revealed.”

Insecure databases continue to be a security thorn in companies’ sides: In June, for instance, three publicly accessible cloud storage buckets from data-management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers – including internal business documents, system passwords and sensitive employee information. In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. And in April, hundreds of millions of Facebook records were found in two separate publicly exposed app datasets.
Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked. But ironically, many companies taking these proactive steps soon discover that their explanation as to why they’re doing it can get misinterpreted as more evidence of lax security. This post attempts to unravel what’s going on here.

Over the weekend, a follower on Twitter included me in a tweet sent to California-based job search site Glassdoor, which had just sent him the following notice:

The Twitter follower expressed concern about this message, because it suggested to him that in order for Glassdoor to have done what it described, the company would have had to be storing its users’ passwords in plain text. I replied that this was in fact not an indication of storing passwords in plain text, and that many companies are now testing their users’ credentials against lists of hacked credentials that have been leaked and made available online.

The reality is that Facebook, Netflix and a number of other big-name companies are regularly combing through huge data leak troves for credentials that match those of their customers, and then forcing a password reset for those users. Some are even checking for password re-use on all new account signups.

The idea here is to stymie a massively pervasive problem facing all companies that do business online today: Namely, “credential-stuffing attacks,” in which attackers take millions or even billions of email addresses and corresponding cracked passwords from compromised databases and see how many of them work at other online properties. So how does the defense against this daily deluge of credential stuffing work?
A company employing this strategy will first extract from these leaked credential lists any email addresses that correspond to their current user base. From there, the corresponding cracked (plain text) passwords are fed into the same process that the company relies upon when users log in: That is, the company feeds those plain text passwords through its own password “hashing” or scrambling routine.

Password hashing is designed to be a one-way function which scrambles a plain text password so that it produces a long string of numbers and letters. Not all hashing methods are created equal, and some of the most commonly used methods — MD5 and SHA-1, for example — can be far less secure than others, depending on how they’re implemented (more on that in a moment). Whatever the hashing method used, it’s the hashed output that gets stored, not the password itself.

Back to the process: If a user’s plain text password from a hacked database matches the output of what a company would expect to see after running it through their own internal hashing process, then that user is then prompted to change their password to something truly unique.

Now, password hashing methods can be made more secure by amending the password with what’s known as a “salt” — or random data added to the input of a hash function to guarantee a unique output. And many readers of the Twitter thread on Glassdoor’s approach reasoned that the company couldn’t have been doing what it described without also forgoing this additional layer of security.

My tweeted explanatory reply as to why Glassdoor was doing this was (in hindsight) incomplete and in any case not as clear as it should have been. Fortunately, Glassdoor’s chief information officer Anthony Moisant chimed in to the Twitter thread to explain that the salt is in fact added as part of the password testing procedure.
“In our [user] database, we’ve got three columns — username, salt value and scrypt hash,” Moisant explained in an interview with KrebsOnSecurity. “We apply the salt that’s stored in the database and the hash [function] to the plain text password, and that resulting value is then checked against the hash in the database we store. For whatever reason, some people have gotten it into their heads that there’s no possible way to do these checks if you salt, but that’s not true.”

CHECK YOUR ASSUMPTIONS

You — the user — can’t be expected to know or control what password hashing methods a given site uses, if indeed they use them at all. But you can control the quality of the passwords you pick.

I can’t stress this enough: Do not re-use passwords. And don’t recycle them either. Recycling involves rather lame attempts to make a reused password unique by simply adding a digit or changing the capitalization of certain characters. Crooks who specialize in password attacks are wise to this approach as well.

If you have trouble remembering complex passwords (and this describes most people), consider relying instead on password length, which is a far more important determinant of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember.

According to a recent blog entry by Microsoft group program manager Alex Weinert, none of the above advice about password complexity amounts to a hill of beans from the attacker’s standpoint.
Weinert’s post makes a compelling argument that as long as we’re stuck with passwords, taking full advantage of the most robust form of multi-factor authentication (MFA) offered by a site you frequent is the best way to deter attackers. Twofactorauth.org has a handy list of your options here, broken down by industry.

“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Glassdoor’s Moisant said the company doesn’t currently offer MFA for its users, but that it is planning to roll that out later this year to both consumer and business users.

Password managers also can be useful for those who feel encumbered by having to come up with passphrases or complex passwords. If you’re uncomfortable with entrusting a third-party service or application to handle this process for you, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop or screen or whatever, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.

Although many readers will no doubt take me to task on that last bit of advice, as in all things security related it’s important not to let the perfect become the enemy of the good. Many people (think moms/dads/grandparents) can’t be bothered to use password managers — even when you go through the trouble of setting them up on their behalf. Instead, without an easier, non-technical method they will simply revert back to reusing or recycling passwords.
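The check Moisant describes earlier in this post, a table of username, per-user salt and scrypt hash, with leaked plain-text passwords run through the same salted hash and compared to the stored value, looks like the following in code. This is an added example written for this page, not Glassdoor's code; the user records, the leaked credential list and the scrypt cost parameters are all constructed for the demonstration. It also shows the limit of the exact-match approach that the "don't recycle" advice is about: a leaked "hunter2" does not match a stored "hunter2!", so that account is not flagged even though the password is a trivial variant.

```python
"""Salted-hash reuse check against a leaked credential list.

Added example (not Glassdoor's code). Records are constructed inline; the
salt is random per user, and only salt and scrypt hash are ever stored.
"""
import hashlib
import hmac
import os

# Constructed scrypt cost parameters for the demo (a production choice
# would be tuned to the hardware and kept in configuration).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes) -> bytes:
    """The site's own hashing routine: scrypt over the salt plus plain text."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def make_user_record(username: str, password: str) -> dict:
    """Create the three stored columns: username, salt value, scrypt hash."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def password_matches(record: dict, candidate: str) -> bool:
    """Same procedure as login: apply the stored salt, compare hashes in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def find_reused_credentials(user_db: list, leaked: list) -> list:
    """Return usernames whose stored hash matches a leaked plain-text password.

    leaked is a list of (email, plain_text_password) pairs from a breach dump;
    only entries whose email corresponds to a current user are tested.
    """
    by_user = {rec["username"]: rec for rec in user_db}
    hits = set()
    for email, leaked_pw in leaked:
        rec = by_user.get(email)
        if rec is not None and password_matches(rec, leaked_pw):
            hits.add(email)
    return sorted(hits)


# Constructed user table. alice reuses her leaked password exactly, bob
# "recycled" it with a trailing character, carol's password is unique.
USER_DB = [
    make_user_record("alice@example.com", "correct horse battery staple"),
    make_user_record("bob@example.com", "hunter2!"),
    make_user_record("carol@example.com", "lantern-velvet-quarry-oboe"),
]

# Constructed breach dump: cracked plain-text passwords paired with emails.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Password1"),
    ("dave@example.com", "letmein"),  # not a customer; skipped
]


def force_reset_list() -> list:
    """Accounts that should be prompted to choose a truly unique password."""
    return find_reused_credentials(USER_DB, LEAKED_CREDENTIALS)


if __name__ == "__main__":
    print("force password reset for:", force_reset_list())
```

Because the salt is read from the user's own row before hashing, salting does not prevent the check; it only means each leaked password must be hashed once per matching user rather than once for the whole list, which is why the leaked emails are matched to the user base first. The two distinct salts also mean two users with the same password get different stored hashes, so the stored table itself reveals nothing about reuse between accounts.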
Microsoft is calling on researchers to help sniff out any security glitches in the beta version of its new Chromium-based Edge browser before officially pushing it live.

The tech company has been working to build a new version of Edge based on Google’s open-source Chromium code, as opposed to its previous EdgeHTML proprietary browser engine. Now, with the Tuesday release of the beta version of the new browser, Microsoft has also extended its existing Edge bug-bounty program to include the “Microsoft Edge Insider Bounty,” aimed at whacking any security issues in this latest version.

“We’re excited to expand our bounty programs today to include the next version of Microsoft Edge and continue to grow and strengthen our partnership with the security research community,” Jarek Stanley, senior program manager at Microsoft, said in a Tuesday post. “We welcome researchers to seek out and disclose any high-impact vulnerabilities they may find in the next version of Microsoft Edge, based on Chromium, and offer rewards up to US $30,000 for eligible vulnerabilities in Dev and Beta channels.”

Researchers can earn between $1,000 and $30,000 for finding critical or important vulnerabilities in Microsoft Chromium Edge Beta and Dev channels. In-scope flaws include elevation of privilege flaws, remote code execution, information disclosure and other vulnerabilities.

“The goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to uncover vulnerabilities that are unique to the next Microsoft Edge which have a direct and demonstrable impact on the security of our customers,” Microsoft said. “Vulnerabilities that reproduce in the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or MacOS may be eligible for the Microsoft Edge Insider bounty program. Windows Insider Preview is not required.”

Since Microsoft pulled the plug on the old Edge browser, the new Chromium-based Edge has been in developer testing for the past few months, with the first builds of Chromium Edge becoming available in April, including the Canary and Dev versions. In launching Chromium Edge, Microsoft said it hopes to align its web platform better with web standards and other Chromium-based browsers: “This will deliver improved compatibility for everyone and create a simpler test-matrix for web developers,” said Windows corporate vice president Joe Belfiore in 2018.

Previous builds have garnered 1 million downloads and Microsoft has received 140,000 feedback responses, it said on Tuesday. The first public beta – which is the third and final preview channel to come online before the browser launches – is available for Windows 7, Windows 10 and MacOS. The company has not said when it will publicly release Chromium Edge, but reports point to late 2019 or early 2020.

A full list of the in-scope vulnerabilities – and corresponding rewards – as well as the terms and conditions of the Edge Insider Bounty Program can be found here.
A ransomware that calls itself “Syrk” is targeting gaming juggernaut Fortnite’s enormous user base, purporting to be a game hack tool. Syrk promises players an “aimbot” for aiming more accurately while playing, and “ESP,” for discovering other players’ locations in the game. What it really gives them is a headache of a computer infection that locks up their machines and demands a ransom. If left unpaid, Syrk will delete batches of files every two hours.

According to an analysis on Tuesday by researchers at Cyren, Syrk ransomware is actually the Hidden-Cry ransomware that’s been given a .Syrk extension. “The source code for Hidden-Cry is readily available, having been shared on Github at the end of last year,” the researchers noted, adding that the reskinned malware could begin cropping up in many different places. “We expect [Syrk] to possibly be distributed via an upload to a sharing site and the link posted in Fortnite users in forums,” they said.

The Syrk ransom note.

Once the payload is executed, it connects to a command-and-control (C2) server and disables Windows Defender and UAC through a registry tweak. It then sets about encrypting a range of file types, including .gif, .sln, .docx, .php, .psd, .ico, .mov, .xlsx, .jpg, .xls, .doc, .pdf, .wav, .pptx, .ppt, .txt, .png, .bmp, .rar, .zip, .mp3, .mp4 and .avi. It gives the encrypted files the .syrk extension. It also monitors for Taskmgr, Procmon64 and ProcessHacker, which could interrupt its processes.

“The next step is it will set a timed procedure to try and delete the encrypted files in the directories listed below, deleting the files every two hours in the following order: %userprofile%\Pictures; %userprofile%\Desktop; and %userprofile%\Documents,” the researchers wrote. At the same time, it starts using LimeUSB_Csharp.exe to infect USB drives if they exist.

“Combining game malware with ransomware was inevitable,” Chris Morales, head of security analytics at Vectra, told Threatpost.
“Social engineering through online video games has been going on for some time [including around Fortnite]. It is a large audience to target and an industry that is known to look for shortcuts. Malware posing as a hack tool is novel as it will not be validated by any app store and bypasses the normal security controls. This makes encrypting files using a game hack highly opportunistic and easy to execute.” He added, “This ransomware is effectively cheating the cheater.”

The good news is that Cyren researchers found that it’s possible to both decrypt the encrypted files, and recover those that were deleted.

“The file dh35s3h8d69s3b1k.exe is the Hidden-Cry decrypting tool, and can be found as one of the resources embedded in the main malware,” they explained. “Since the key used is already known, it can be used to create a PowerShell script based on the shared source of the Hidden-Cry decrypter. To do this, extract the embedded file dh35s3h8d69s3b1k.exe and execute the file in the infected machine. It will drop the necessary PowerShell script needed to decrypt the files.”

As for recovery, “One principal feature of the Hidden-Cry ransomware is that, as seen in the instructions shown, is the sense of urgency it creates in the victim by deleting files every two hours,” they wrote. “However, we believe it is possible for victims to recover deleted files, given the simple method used to delete the files.” Threatpost has asked for more details on that process and will update this post accordingly.

Fortnite has become a global phenomenon, claiming to have 250 million players (the Fortnite World Cup also just ended, which offered a $30 million prize pool — indicative of its popularity). Alex Guirakhoo, strategic intelligence analyst at Digital Shadows, told Threatpost that cybercriminals are always interested in the gaming world, and especially those with large, invested communities.
“The video game industry, and gamers in general, are lucrative targets for cybercriminals,” he said. “Gamers are attractive targets for this kind of attack as they likely have computers with powerful graphics cards, which are heavily sought after for cryptocurrency mining because of their performance. A lot of this builds on the wide media attention that popular games receive on social media and sites such as Twitch or YouTube. The more attention a game gets because of a new release or update, the more likely it is that a cybercriminal will be able to successfully distribute malware.”

For example, trojans like MonsterInstall have been distributed on websites which claim to offer hacks and cheats for various popular and competitive video games like CS:GO, Minecraft and FIFA. “When trying to download a hack, the user instead downloads a password-protected 7ZIP archive, which contains the purported hack files as well as the MonsterInstall trojan,” Guirakhoo said. “The trojan then acts as a downloader for a malicious cryptocurrency miner.” He added, “Additionally, we’ve also seen threat actors hijack game updates to push malware, or distribute malware disguised as legitimate apps for popular games like Fortnite or Apex Legends.”

Further, financially motivated types aren’t the only ones eyeing the gamer community. “Even advanced nation-state threat actors like the China-linked Winnti Group and APT41 see this sector and demographic as lucrative: They have conducted supply chain compromise attacks by targeting video game distributors for popular games like League of Legends or Path of Exile,” he explained.
Cloud-based storage and infrastructure provides myriad benefits for any organization, like letting them avoid the costs of expensive hardware and granting them quick access to infrastructure as needed. Companies can use cloud services for minutes or years, depending on their needs. However, there is a darker side to this picture, in which cybercriminals can take advantage of the cloud if the infrastructure is not set up correctly and secured.

According to the Cloud Adoption & Risk Report released by McAfee earlier this year, there has been a 27.7 percent increase in cloud-related security incidents over the previous year. With 65 percent of organizations using some form of an infrastructure-as-a-service (IaaS) model, organizations need to be aware of the risks that cloud-based options bring, and ensure that security is a top priority when deploying them.

Many people believe data security is the purview of cloud provider platforms like Amazon Web Services (AWS) and Microsoft’s Azure. But AWS and others use a shared-responsibility model: Amazon takes the responsibility of securing its infrastructure, but the customer is responsible for configuring their environment securely. This includes ensuring that data is not shared inappropriately, identifying when a system is misused and enforcing compliance and/or governance policies (e.g., GDPR, PCI DSS, etc.).

As the McAfee report shows, the shared responsibility model for IaaS requires organizations to secure user access, data, applications, operating systems and network traffic. This leaves just the hypervisor, infrastructure, and physical systems up to the provider to secure. This situation has led to a number of exposures and breaches of sensitive data because of oversights on the part of cloud customers.
For instance, in the Capital One data breach in July 2019, the financial giant used secure AWS as a platform, but a misconfiguration coupled with an ill-intending former employee of Amazon resulted in a massive data breach. About 140,000 Social Security numbers, 80,000 bank account numbers and details from more than 100 million consumer-credit applications were compromised.

Capital One’s cloud-related breach isn’t uncommon. In 2010, Microsoft had a breach in its Business Productivity Online Suite (BPOS). Like the Capital One breach, Microsoft’s was also the result of a configuration issue in Microsoft’s data centers. And since this incident, the misconfiguration problem has snowballed, with multiple data exposures every month being reported from companies of all stripes.

The stakes are high: One misconfigured server is all it takes, and the door is wide open for cybercriminals to steal all kinds of data. There are other dangers too: Cybercriminals that utilize Magecart malware have been automatically compromising domains and websites with credit-card skimmers by actively scanning for misconfigured Amazon S3 buckets.

Setting Up the Cloud

The biggest problem is that when deploying cloud environments, many pieces need to be configured, including the routing and firewall rules that grant access to the servers being deployed, the servers themselves, and the application-level firewalls and access rules within those servers. With so many components, and with effectively non-existent security in most default configurations, it is easy to see why one or more components may be deployed in an insecure state.

Even when users go through these configurations, some settings (like access control lists or ACLs) can be extremely long and complex to manage. This means that extensive testing is required to validate each rule. When time is insufficient, insecure settings may persist.
According to the Cloud Security Alliance’s report Top Threats to Cloud Computing: Egregious Eleven, “[a]n absence of effective change control is a common cause of misconfiguration in a cloud environment. Cloud environments and cloud computing methodologies differ from traditional information technology (IT) in ways that make changes more difficult to control.” This is because, unlike in on-premise deployments, “infrastructure elements that were static in the corporate data center are now abstracted to software in the cloud.”

Securing the Cloud from Stormy Weather

Misconfigurations may be common, but now that 21 percent of files in the cloud contain sensitive information, businesses must improve their data-security game with a multi-point security approach.

Generally speaking, network traffic analytics and user behavioral analysis can be used to spot anomalies that can alert IT to misconfigurations – as well as exposures that occur due to misconfigurations. Since cloud platforms are inherently network-connected deployments, network traffic is a major way to understand how data is moving across these systems. In the case of AWS, Virtual Private Cloud (VPC) log information provides a clear picture of how data traverses Amazon’s network to individual systems within AWS.

But VPC logs don’t provide a complete picture if the system can be accessed outside the corporate network. Organizations must also ensure that access to cloud systems is restricted to individuals that are authorized to tap into specific data on the corporate network. By requiring individuals to be physically present and authenticated on the network, organizations can track user behavior from everyone on the network.
When physical presence isn’t possible, such as with remote employees, organizations should require employees to log on through the corporate VPN or other service that requires proper authentication (single sign-on, token validations, valid user credentials for corporate access, etc.), before connecting to corporate resources.

Meanwhile, network analysis alerts organizations when employees communicate with cloud systems they don’t regularly connect to, and it allows security teams to spot potentially unauthorized access when a new connection takes place. For example, it would be strange to have members of human resources or marketing connecting to a cloud system that maintains research and development resources, especially if the individual has never connected to the system before. In such instances, security teams can identify misconfigurations — and also any additional problems like stolen employee credentials, rogue employees and malware, based on the network traffic patterns.

Finding the Data Leak in the Cloud

As mentioned, network traffic can be a foundational resource for finding misconfigurations. While ACLs are crucial to stopping unauthorized connections, network traffic should also be used to verify that the rules are working as intended. By seeing how resources communicate with one another, network and security teams can see when rogue agents are connecting to privileged resources or violating firewall rules. When security protocols are in place, and network traffic can verify that no unauthorized connections are taking place, businesses can verify that their cloud deployments are functioning as intended.

As the number of connections and the threat landscape grow, businesses must ensure their cloud buckets are properly configured, and that users are not abusing systems or being granted unauthorized access. Adding a few extra layers of security can go a long way in that effort.

Justin Jett is director of Audit and Compliance for Plixer.
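The "new connection" analysis described above (flag an employee talking to a cloud system they have never used, and flag it harder when nobody in their department uses it) reduces to a baseline of observed user-to-system pairs and a comparison of fresh traffic against it. The following is an added example written for this article, not Plixer's product or code. The connection records are constructed: each is an authenticated-VPN session already attributed to a user and department, with the destination system name supplied by a lookup the example assumes has been done (raw VPC flow logs carry only addresses, not identities). Department names, system names and timestamps are all made up for the demonstration.

```python
"""Baseline-and-compare detection of unusual user-to-cloud-system connections.

Added example, not Plixer code. Records are constructed tuples of
(timestamp, user, department, destination_system); in practice they would
come from VPN/SSO session logs joined with flow logs.
"""
from collections import defaultdict

# Constructed 30-day history used to learn who normally talks to what.
BASELINE_RECORDS = [
    ("2019-07-20T09:01", "eng-ana", "engineering", "rnd-git"),
    ("2019-07-20T09:05", "eng-ana", "engineering", "rnd-build"),
    ("2019-07-21T10:12", "eng-ben", "engineering", "rnd-git"),
    ("2019-07-22T08:40", "hr-cora", "hr", "hr-payroll"),
    ("2019-07-23T11:00", "hr-dev", "hr", "hr-payroll"),
    ("2019-07-24T13:30", "mkt-eli", "marketing", "web-cms"),
    ("2019-07-25T14:45", "mkt-eli", "marketing", "analytics-bucket"),
]

# Constructed fresh traffic to evaluate against the baseline.
NEW_RECORDS = [
    ("2019-08-20T09:00", "eng-ana", "engineering", "rnd-git"),        # routine
    ("2019-08-20T09:30", "eng-ben", "engineering", "rnd-build"),      # new for ben, normal for dept
    ("2019-08-20T10:15", "hr-cora", "hr", "rnd-git"),                 # HR reaching R&D: unusual
    ("2019-08-20T11:00", "mkt-eli", "marketing", "web-cms"),          # routine
    ("2019-08-20T23:50", "hr-cora", "hr", "rnd-git"),                 # repeat of the same pair
]


def build_baseline(records):
    """Learn per-user and per-department sets of destination systems."""
    by_user = defaultdict(set)
    by_dept = defaultdict(set)
    for _ts, user, dept, dest in records:
        by_user[user].add(dest)
        by_dept[dept].add(dest)
    return {"user": by_user, "dept": by_dept}


def detect_new_connections(baseline, records):
    """Return one alert per previously unseen (user, destination) pair.

    severity "high": nobody in the user's department has used that system.
    severity "medium": the user is new to it but peers in the department use it.
    """
    alerts = []
    seen_pairs = set()
    for ts, user, dept, dest in records:
        if dest in baseline["user"].get(user, set()):
            continue  # routine: this user regularly reaches this system
        if (user, dest) in seen_pairs:
            continue  # already alerted on this pair in the current window
        seen_pairs.add((user, dest))
        dept_uses_it = dest in baseline["dept"].get(dept, set())
        alerts.append({
            "time": ts,
            "user": user,
            "department": dept,
            "destination": dest,
            "severity": "medium" if dept_uses_it else "high",
            "reason": ("first connection by user; peers use this system"
                       if dept_uses_it else
                       "first connection by user and by anyone in department"),
        })
    return alerts


def run_demo():
    """Evaluate the constructed fresh traffic against the constructed baseline."""
    return detect_new_connections(build_baseline(BASELINE_RECORDS), NEW_RECORDS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f'{alert["severity"].upper():6} {alert["time"]} {alert["user"]} '
              f'-> {alert["destination"]}: {alert["reason"]}')
```

Two design points carry over to a real deployment: the baseline must be learned from a window that is believed clean, otherwise an attacker's earlier access is silently normalised, and a "high" alert from a department that has no business with the destination is exactly the case the article names, where the finding may be a misconfigured ACL, a stolen credential or a rogue employee, and the traffic pattern alone cannot say which.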
Apple’s most recent operating system update, iOS 12.4, accidentally unpatched a fix that had been issued in a previous update — leaving devices vulnerable to code execution and privilege-escalation attacks. The flaw also allows phones to be jailbroken — and a public jailbreak has just been released to take advantage of it on phones running the latest version of iOS.

The blunder, first reported by Motherboard, means that Apple devices that are fully updated to the most recent iOS version are open to a vulnerability that had previously been patched in May as part of the iOS 12.3 update. The flaw (CVE-2019-8605), a use-after-free issue in the kernel, could enable a malicious application to execute arbitrary code with system privileges on iOS devices, including the iPhone 5s and later, iPad Air and later, and the iPod touch sixth generation.

The bug was initially discovered by Google Project Zero researcher Ned Williamson, who after the initial patch published an exploit for iOS 12.2, dubbed “SockPuppet,” that utilized the vulnerability to “achieve the kernel_task port on iOS 12.2 on [the] iPhone 6S+.”

While Williamson’s exploit offered the ability to jailbreak iOS 12.2, on Aug. 18 a hacker under the alias “Pwn20wnd” on Github released various fine-tuned jailbreaks for the latest version of iOS, based on SockPuppet. After its release, iPhone users flocked to Twitter to show their successful attempts at jailbreaking their own phones — a method to escape Apple’s limitations on what apps and code can run on the iPhone. It’s useful for those wanting to install custom code, add features or perform security research outside the purview of the Apple ecosystem. “You will have to upgrade to iOS 12.4 if you are on iOS 12.3 to use the latest jailbreak – Enjoy,” said Pwn20wnd on Twitter.

“Security researchers: Are you waiting for Apple’s research iPhone program? You can save a lot of time by picking one up at an Apple Store right now and running the #unc0ver #jailbreak on it.” — Pwn20wnd is reviving 0-Days (@Pwn20wnd), August 19, 2019

Public iOS jailbreaks are not common, especially for up-to-date phones – in fact, this is the first public jailbreak released in years that addresses fully updated phones.

Malicious attacks on jailbroken phones allow privilege escalation and full hacks of Apple devices; and because this vulnerability could be exploited via a malicious app to jailbreak phones, security researchers like Stefan Esser are warning iPhone users with the most up-to-date patch to be extra cautious of any apps that they download – even those from the official App Store.

“I hope people are aware that with a public jailbreak being available for the latest iOS 12.4 people must be very careful what Apps they download from the Apple AppStore. Any such app could have a copy of the jailbreak in it.” — Stefan Esser (@i0n1c), August 19, 2019

Blake Collins, research analyst at SiteLock, said in an email that the jailbreak makes phones an easier target for malware and spyware. “In this instance with iOS 12.4, there was an internal misstep where important code was removed,” Collins said. “With this update, phones can be jailbroken again and are now vulnerable to spyware or worse. The implications for this are far-reaching.”

In addition, the vulnerability makes the personal and private data on vulnerable iPhones more accessible “in unforeseen ways,” he said. “Photos, emails, phone numbers and possibly even banking data could be stolen if you installed an app that was able to exploit these escalated privileges,” said Collins.
“For those who want to have the flexibility that comes with a jailbroken phone, it’s critical that you’re educated on all the vulnerabilities and security issues this opens up for you.” Apple has not responded to a request for comment from Threatpost on the incident, or whether a patch is being released. Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.
A phishing campaign that spoofs a PDF attachment to deliver Adwind spyware has been taking aim at national grid utilities infrastructure. Adwind, a.k.a. JRAT or SockRat, is sold as malware-as-a-service. It offers a full cadre of info-gathering features, including the ability to take screenshots, harvest credentials from Chrome, Internet Explorer and Microsoft Edge, record video and audio, take photos, steal files, perform keylogging, read emails and steal VPN certificates.

The phishing email was sent from a hijacked account at Friary Shoes, according to Milo Salvia, researcher at Cofense. It merely says, “Attached is a copy of our remittance advice which you are required to sign and return,” with an embedded button purporting to point to a PDF file. When a victim clicks on the button, though, they’re redirected to a malicious web address; Salvia wrote in an analysis Monday that the cybercriminals are abusing the Fletcher Specs domain to host the malware. Once the victim lands there, a payload is automatically downloaded to the target machine. The initial payload has a fake PDF file extension to obfuscate the fact that it’s actually a .JAR file. In the background, it creates two Java.exe processes, which load two separate .class files containing the Adwind malware. It then beacons out to its command-and-control (C2) server, according to Salvia. And it tries to stay hidden with another executable file, takskill.exe, which looks for popular antivirus and malware analysis tools and then disables them, the researcher wrote.

Adwind has made bypassing and disabling security tools a hallmark. Last year, a new variant emerged that used a fresh take on the Dynamic Data Exchange (DDE) code-injection technique for anti-virus evasion. “Tricking end users into clicking on malicious links or attachments continues to be the most successful means for bad actors to gain access,” said Bob Noel, vice president of strategic relationships for Plixer, via email. “As is true in the case of the Adwind remote access trojan, once malware lands on a device, it often has the ability to disable antivirus and other types of endpoint detection agents loaded on the device.”
Two high-risk vulnerabilities in the VLC media player could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim’s PC. The flaws were made public Monday by the developer of the open-source VLC media player, the VideoLAN project, which also made patches available to mitigate the issues. In total, 15 VLC bugs were made public. In addition to the two high-risk bugs, five were rated medium, three low and the others remain unrated. Eleven of the flaws were found by Antonio Morales, a researcher at the Semmle Security Team. Exploitation of any of the bugs would be straightforward, Morales wrote Threatpost in an email interview. “A hypothetical scenario: an attacker uploads the video file to a tracker Torrent using a filename of a trending TV series,” he wrote. “After this, a lot of users download the file via Torrent. The victims only need to open the video file to trigger the vulnerability. This scenario can be applied to all the vulnerabilities.”

High-Risk Bugs

Morales said the most troubling of the flaws is a buffer overflow bug (CVE-2019-14970) in the MKV demuxer – a component responsible for multiplexing digital and analog files. “This is an out-of-bounds (OOB) write (heap overflow) vulnerability that affects the .mkv file format,” Morales wrote. The researcher also singled out a similar bug (CVE-2019-14438), which allows an attacker to gain access to a PC using a booby-trapped .MKV video file. MKV is technically a video container format, similar to the .AVI, .ASF and .MOV formats. “An attacker could execute code in VLC execution context. This means that an attacker could perform the same actions that the legitimate user can, but without the consent of the user and without the user noticing it. In quite a number of cases, the attacker could take control of the computer also,” Morales told Threatpost. “A user only needs to open the file to trigger the vulnerability (double-click is enough).”

Other Issues

VLC player medium-risk bugs (CVE-2019-14437, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14533) also could be abused in an attacker scenario where content is maliciously planted for download. Two additional security issues, with pending CVE IDs, were reported by Scott Bell from Pulse Security. Researcher Hyeon-Ju Lee is credited for identifying CVE-2019-13602, and Xinyu Liu is credited for finding CVE-2019-13962. All bugs have been confirmed with the VideoLAN project, Morales said. That’s in contrast to last month, when a German security agency reported that a critical vulnerability existed in VLC that it claimed could enable remote code-execution and other malicious actions. It turned out the media player in that instance was not vulnerable. The new vulnerabilities impact VLC version 22.214.171.124. The current updated 3.0.8 version fixes those bugs. According to VideoLAN, the updates have not been pushed out to users; however, users can manually update their client by directly downloading the most recent version.
Apple has sued startup Corellium for copyright infringement, alleging that the company has developed “exact digital replicas” of its iPhone operating system without authorization – from the code down to the graphical user interface. While details about Florida-based Corellium on its website are slim, a Forbes report from 2018 said that the company has created virtual software (available via a Corellium web-based platform) simulating iOS and iTunes. Essentially, the company sells access to virtual machines that run the operating system replicas, which can be used as a test bed for hackers and software developers to do anything from testing their apps on various hardware to sniffing out vulnerabilities. However, Apple’s lawsuit claims that Corellium’s true goal is “profiting off its blatant infringement,” rather than finding security vulnerabilities in its software: “The purpose of this lawsuit is not to encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works,” according to Apple’s lawsuit, filed last week in the U.S. District Court for the Southern District of Florida. “Accordingly, Apple respectfully seeks an injunction, along with the other remedies described below, to stop Corellium’s acts of naked copyright infringement.”

Corellium’s website does not offer further descriptions of its products or services other than to describe them as “mobile device virtualization: The future of mobile development.” The website does tout an intellectual property policy, which says Corellium “respects the intellectual property rights of others and expects its users to do the same” – but does not touch directly on Apple software. According to Apple’s lawsuit, Corellium offers licensing for private installations to entities – installing a full version of its cloud-based product on a customer’s premises – for $1 million a year. “Such private installations of the Corellium Apple Product copy, modify and display Apple’s copyrighted works,” Apple said. Apple also expressed concerns over the security testing functionalities of Corellium’s products; the company makes no effort to confine use of its product to good-faith research and testing of iOS, and does not require users to disclose any software bugs discovered to Apple, the lawsuit says.

The lawsuit comes after Apple has made important strides around vulnerability disclosure. At Black Hat USA 2019 in August, Apple bumped up its bug bounty rewards to include a hefty $1 million payout for finding a network attack with no user interaction that could lead to zero-click kernel code execution with persistence. Apple also confirmed reports that it will give security researchers special iPhones that will make it easier for them to find weaknesses in its smartphone, in a new program called the “iOS Security Research Device Program.” The phone will have special features – such as advanced debug capabilities – and will be available to researchers next year. “Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher,” Apple said in its lawsuit. “Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected.”

Thomas Reed, director of Mac and Mobile for Malwarebytes, told Threatpost that Apple has long defended requirements to run products like macOS only on Apple hardware; for instance, companies like MacStadium that run banks of Mac virtual machines are allowed to do so only if those virtual machines are running on Mac hardware. “Based on this, it’s quite obvious that Apple would sue Corellium based on its service that offers remotely hosted iOS virtual machines, which are not running on Apple hardware,” he said. “I would guess that it is a certainty that Apple will be able to prevent Corellium from continuing to provide this service. However, on the other hand, I really wish there were some way Corellium could work out a deal with Apple to continue providing this service. It would be quite useful, not just for security researchers and jailbreakers, but also for iOS developers,” said Reed. “From what I hear, Corellium’s service is far superior to Apple’s Simulator app for iOS developers.” Corellium did not immediately respond to a request for comment from Threatpost.